Slashdot Mirror


POS Vendor Uses Same Short, Numeric Password Non-Stop Since 1990

mask.of.sanity writes: Fraud fighters David Byrne and Charles Henderson say one of the world's largest Point of Sale systems vendors has been slapping the same default password – 166816 – on its kit since 1990. Worse still: about 90 per cent of customers are still using the password. Fraudsters would need physical access to the PoS in question to exploit it by opening a panel using a paperclip. But such physical PoS attacks are not uncommon and are child's play for malicious staff. Criminals won't pause before popping and unlocking. The enraged pair badged the unnamed PoS vendor by its other acronym, labelling it 'Piece of S***t'.

3 of 128 comments

  1. Odd Findings by Anonymous Coward · Score: 3, Interesting

    The pair iterated some brazen criminal and hopeless customer cases they each dealt with while at Trustwave where PoS systems had been compromised. ...
    In another, forensics were left stumped by a carder's keylogger which had logged repeat keys (such as aaaaa ggggg bbbbb) entered on the PoS server. It was later revealed staff had used the machine to play Guitar Hero, Call of Duty, and download porn.

    Forensics had even established which songs were played based on the logged keys.

    The researchers found that next to the ubiquitous use of the password 166816 amongst separate manufacturers, that Deep Purple's "Smoke on the Water" was the most played song on compromised PoS terminals. Strange.

  2. Our POS Solution is worse by toadlife · Score: 3, Interesting

    Our solution by Food Service Solutions has a hard-coded superuser admin account with the username of "a" and the password of "a."

    It's used by thousands of institutions.

    You can't disable it.

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.

  3. Re:Not a Piece of Shit by DutchUncle · Score: 3, Interesting

    ... And every single customer will wind up calling customer service asking why they can't get into their system. The papers got filed in shipping, or in finance, or tossed with the packaging. Maybe you could print it on a sticker, just like the serial number; then you have the physical security issue, but at least there's no global exposure.